Why “Preservation of Life” Should be the Fourth Pillar of the CIA Triad

Many InfoSec professionals are familiar with the CIA triad, a longstanding model for information security policy within an organization. The three elements of the triad (Confidentiality, Integrity, and Availability) are considered the three most critical "pillars" of a security program.


As the industry continues to evolve and move further into the Internet of Things (IoT) model, the associated vulnerabilities and threats evolve with it, including threats that directly endanger public and personal safety and survival. With this in mind, maybe it's time the industry added a fourth pillar to the model: Preservation of Life.

Preservation of Life Is a Basic Information Security Issue

Conventional cyber attacks threaten our personal privacy, corporate trade secrets, access to data, and the authenticity and accuracy of data. The advent of IoT changes that. Now medical devices, vehicles, robotic equipment, industrial process technology, building systems, utility meters, and a bewildering and growing litany of other "things" are connected to the internet. And, as we keep learning, many of these devices ship with weak or absent security controls and are wide open to being hacked.

Ironically, some of the IoT devices intended to enhance safety, like security cameras, are among the most frequently compromised, and a compromised device on the network is a foothold for the attacker. Medical devices, vehicles, and aircraft likewise expose attack surfaces, and successful attacks against them have been well publicized.

In healthcare specifically, cybersecurity issues go well beyond protecting patient data. As attackers increasingly target hospitals with ransomware, for example, losing access to critical systems and data (electronic health records, imaging, lab results) delays care and becomes a direct threat to patient safety. Shouldn't the healthcare industry be factoring potential loss of life into its information security risk assessments and investments?

As our world becomes “smarter,” more connected and therefore more vulnerable to software-driven assaults, isn’t it high time we openly acknowledge and address the danger not just to our data and our money but our very lives? Making Preservation of Life a fundamental tenet of information security would hopefully drive IoT device manufacturers to build in more security upfront, and make end-users of IoT devices more aware of the security implications of deploying them.

By understanding the true extent of the risk to safety and the environment that attacks on IoT devices represent, we can better plan cybersecurity and other technology investments to mitigate those risks. In turn, we would place more focus on the special security considerations for IoT systems, such as testing and patching devices that cannot simply be taken offline. We would also see more aggressive government regulation of IoT security, justified by concern for public safety.
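To make the argument of the two preceding sections concrete (factoring loss of life into risk assessments, then letting that drive investment), here is a small risk-register scoring model. This is an added example written for this page, not an industry standard or a method described by the author; the assets, likelihood and impact numbers are constructed for illustration, and the 0-5 scales and the "safety floor" rule are assumptions of the example. It scores the same register twice, once with the conventional CIA impacts only and once with Preservation of Life as a fourth impact dimension, and shows how the ranking changes.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Scales assumed for this example: likelihood 1-5, each impact 0 (none) to 5 (catastrophic).


@dataclass(frozen=True)
class Asset:
    name: str
    likelihood: int       # 1-5: chance of successful compromise in the review period
    confidentiality: int  # 0-5: harm from disclosure
    integrity: int        # 0-5: harm from tampering
    availability: int     # 0-5: harm from outage
    safety: int           # 0-5: potential for injury or loss of life (the fourth pillar)


def cia_score(a: Asset) -> int:
    """Conventional scoring: likelihood times the worst of the three CIA impacts."""
    return a.likelihood * max(a.confidentiality, a.integrity, a.availability)


def cia_life_score(a: Asset) -> int:
    """Same formula with Preservation of Life added as a fourth impact dimension."""
    return a.likelihood * max(a.confidentiality, a.integrity, a.availability, a.safety)


SAFETY_FLOOR = 4  # assumed policy: a safety impact of 4 or 5 is always treated as critical


def severity(a: Asset, score: int, include_safety: bool) -> str:
    """Map a score to a treatment band. With safety included, the floor overrides
    the arithmetic so that a low-likelihood device that can kill someone is never
    pushed into the 'low' or 'medium' band by its modest data impacts."""
    if include_safety and a.safety >= SAFETY_FLOOR:
        return "critical"
    if score >= 20:
        return "critical"
    if score >= 12:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank(assets: List[Asset], include_safety: bool) -> List[Tuple[str, int, str]]:
    """Return (name, score, band) for every asset, highest risk first."""
    scorer = cia_life_score if include_safety else cia_score
    rows = [(a.name, scorer(a), severity(a, scorer(a), include_safety)) for a in assets]
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


# Constructed register for a hospital network; every number here is illustrative.
REGISTER = [
    Asset("patient records database", likelihood=4, confidentiality=5, integrity=4, availability=4, safety=1),
    Asset("networked infusion pump",   likelihood=3, confidentiality=2, integrity=3, availability=3, safety=5),
    Asset("building HVAC controller",  likelihood=3, confidentiality=1, integrity=2, availability=3, safety=3),
    Asset("IP security camera",        likelihood=5, confidentiality=2, integrity=1, availability=1, safety=2),
]


if __name__ == "__main__":
    for label, flag in (("CIA only", False), ("CIA + Preservation of Life", True)):
        print(f"\n{label}")
        for name, score, band in rank(REGISTER, flag):
            print(f"  {score:>3}  {band:<8} {name}")
```

Under CIA-only scoring the infusion pump lands at the bottom of the register as a "medium" item, because its data is not especially sensitive and an outage is merely inconvenient on paper. Once the safety dimension is counted it moves to second place and, because of the floor rule, into the "critical" band alongside the records database, which is where a device that can deliver a lethal dose belongs. The floor rule is the important design choice: safety is not just another number to average in, since a small probability of killing a patient is not comparable to a small probability of a data leak.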

What thoughts do you have about expanding the longstanding CIA security model to encompass Preservation of Life? Please comment and share your ideas.